TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TS / trusted-services / af77b4798827fb41363326f3d22b0ad020a43194^! / . / components / service / crypto / client / cpp
commitaf77b4798827fb41363326f3d22b0ad020a43194[log] [tgz]
authorGabor Toth <gabor.toth2@arm.com>Fri Apr 05 11:19:37 2024 +0200
committerGabor Toth <gabor.toth2@arm.com>Mon Jun 10 12:10:20 2024 +0200
treee46cd02921607549c951014f4824c0ef4cfbe24d
parent2d4d29f5556c9838844378462652c8ec2b400839 [diff]
Support authentication of uefi priv. variables

To authenticate private uefi variables a fingerprint has to be
calculated based on the common name of the signing certificate's
Subject field and the tbsCertificate of the top-level issuer
certificate.
These variables have a public key certificate attached so the
verify_pkcs7_signature_handler is also reorganized to be able
to verify its own signature with its internal public key.
This commit implements the changes needed for the described
functionality.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: Ida22977f3ef1a730ea95834ca5c9f9e4ed78d927

diff --git a/components/service/crypto/client/cpp/crypto_client.h b/components/service/crypto/client/cpp/crypto_client.h
index 6792a17..80fbe24 100644
--- a/components/service/crypto/client/cpp/crypto_client.h
+++ b/components/service/crypto/client/cpp/crypto_client.h

@@ -240,6 +240,10 @@
 					   uint64_t hash_len, const uint8_t *public_key_cert,
 					   uint64_t public_key_cert_len) = 0;
 
+	virtual int get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+						       uint64_t signature_cert_len,
+						       uint8_t *output) = 0;
+
 protected:
 	crypto_client();
 	crypto_client(struct rpc_caller_session *session);

diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
index aaa71f0..4791feb 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp

@@ -428,3 +428,12 @@
 						    hash, hash_len, public_key_cert,
 						    public_key_cert_len);
 }
+
+int packedc_crypto_client::get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+						  uint64_t signature_cert_len,
+						  uint8_t *output)
+{
+	return crypto_caller_get_uefi_priv_auth_var_fingerprint(&m_client, signature_cert,
+								signature_cert_len,
+								output);
+}

diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
index 8d4f60c..ec6c51c 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h

@@ -236,6 +236,10 @@
 	int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
 				   const uint8_t *hash, uint64_t hash_len,
 				   const uint8_t *public_key_cert, uint64_t public_key_cert_len);
+
+	int get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+				    uint64_t signature_cert_len,
+				    uint8_t *output);
 };
 
 #endif /* PACKEDC_CRYPTO_CLIENT_H */

diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
index 6bae7a8..1170255 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp

@@ -1174,3 +1174,14 @@
 
 	return PSA_ERROR_NOT_SUPPORTED;
 }
+
+int protobuf_crypto_client::get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+							       uint64_t signature_cert_len,
+							       uint8_t *output)
+{
+	(void)signature_cert;
+	(void)signature_cert_len;
+	(void)output;
+
+	return PSA_ERROR_NOT_SUPPORTED;
+}

diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
index 9ad43f7..52f8a02 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h

@@ -237,6 +237,10 @@
 				   const uint8_t *hash, uint64_t hash_len,
 				   const uint8_t *public_key_cert, uint64_t public_key_cert_len);
 
+	int get_uefi_priv_auth_var_fingerprint(const uint8_t *signature_cert,
+					       uint64_t signature_cert_len,
+					       uint8_t *output);
+
 private:
 
 	psa_status_t asym_sign(uint32_t opcode,